We often have inquiries from customers that state that they are looking for “a Managed SOC/SIEM” as if the two are inherently interchangeable. And yet they are not. So what are they?
SOC stands for Security Operations Center. A SOC typically focuses on not only security operations (such as security device management) but also threat and vulnerability management, proactive monitoring and incident qualification. But it can mean many things to many people. One thing is clear though – a SOC is a business function encompassing a combination of people, processes and technology (whether you provide that function using internal staff, procedures and tools or you outsource it).
SIEM on the other hand stands for “Security Information and Event Management”. This allows for not only standardized consumption of log data from multiple security tools but also extended monitoring using custom log sources such as bespoke applications or niche products that are not used by the wider market. A SIEM is a security operations technology. But it is just that – technology – it does not run itself.
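As an added illustration of the "standardized consumption of log data" a SIEM performs (this is example code, not Orange Cyberdefense's or any SIEM vendor's), the block below takes three constructed log formats (a syslog-style firewall line, a key=value line from a bespoke application, and a JSON line from a cloud identity provider), maps each into one common event schema, and then runs a single detection against that schema. The source names, field names and sample values are all assumptions made for the example.

```python
"""Normalize heterogeneous log lines into one common event schema (added example)."""
from __future__ import annotations

import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines from three hypothetical sources.
RAW_LOGS = [
    # syslog-style line from a firewall
    "Mar 14 10:02:11 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=445",
    # key=value lines from a bespoke in-house application
    "ts=2024-03-14T10:02:13Z app=payroll user=alice action=login result=failure src=198.51.100.7",
    "ts=2024-03-14T10:02:15Z app=payroll user=alice action=login result=failure src=198.51.100.7",
    "ts=2024-03-14T10:02:19Z app=payroll user=alice action=login result=failure src=198.51.100.7",
    # JSON line from a cloud identity provider
    '{"time":"2024-03-14T10:02:20Z","service":"idp","principal":"bob",'
    '"event":"signin","outcome":"success","ip":"192.0.2.4"}',
]

KV_RE = re.compile(r"(\w+)=(\S+)")
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]+)\s(\S+)\s(\S+?):\s(.*)$")

# Different products name the same event differently; the schema picks one name.
EVENT_TYPE_MAP = {"signin": "login", "login": "login"}


def normalize(line: str, year: int = 2024) -> dict:
    """Map one raw line to the common schema that every detection is written against."""
    event = {"timestamp": None, "source": None, "event_type": None,
             "outcome": None, "user": None, "src_ip": None}

    if line.startswith("{"):  # JSON source
        rec = json.loads(line)
        event.update(timestamp=rec["time"], source=rec["service"],
                     event_type=EVENT_TYPE_MAP.get(rec["event"], rec["event"]),
                     outcome=rec["outcome"], user=rec.get("principal"), src_ip=rec.get("ip"))
        return event

    m = SYSLOG_RE.match(line)
    if m:  # syslog source
        stamp, host, _program, msg = m.groups()
        # Classic syslog carries no year; assume the collector supplies it.
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        kv = dict(KV_RE.findall(msg))
        event.update(timestamp=ts.isoformat().replace("+00:00", "Z"), source=host,
                     event_type="network_" + msg.split()[0].lower(),
                     outcome="blocked" if msg.startswith("DROP") else "allowed",
                     src_ip=kv.get("SRC"))
        return event

    kv = dict(KV_RE.findall(line))
    if "ts" in kv and "app" in kv:  # bespoke key=value source
        event.update(timestamp=kv["ts"], source=kv["app"],
                     event_type=EVENT_TYPE_MAP.get(kv.get("action"), kv.get("action")),
                     outcome=kv.get("result"), user=kv.get("user"), src_ip=kv.get("src"))
        return event

    raise ValueError(f"unrecognized log format: {line!r}")


def failed_login_counts(events: list[dict]) -> Counter:
    """A detection written once against the schema: failed logins per user, whatever the source."""
    return Counter(e["user"] for e in events
                   if e["event_type"] == "login" and e["outcome"] == "failure")


if __name__ == "__main__":
    normalized = [normalize(line) for line in RAW_LOGS]
    for ev in normalized:
        print(ev)
    print(failed_login_counts(normalized))
```

The point of the schema is that the detection at the bottom never has to know whether a login came from the payroll application or the identity provider; adding a fourth log source means adding one parser branch, not rewriting every rule.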
So why do they appear so often in the same breath? We believe this is a legacy thing and slowly it is starting to change. When detection and response as a concept was born (out of the fact that 100% prevention is impossible) a SIEM was effectively the only way to deliver such a function, and so SOC teams adopted the SIEM as their tool of choice. As time goes on, however, a multitude of options exists. Even the SOC itself is starting to split into sub-functions.
Orange Cyberdefense splits this into three definitive functions:
SOC – the operating centers that provide security device management and operational platform monitoring, implement changes and provide support and troubleshooting.
CyberSOC – the operating centers that provide proactive security incident monitoring, analysis and triage of alert data from different security technologies, and provide an initial level of incident response (for example an initial incident report or isolation of infected machines).
CERT – this is the Computer Emergency Response Team. This team operates from central operating centers (as shown on the map below) and also has mobile members that conduct activities such as on-site incident response at customer locations and data centers. The CERT has within it some distinct functions:
Providing threat and vulnerability intelligence to customers and also to the other teams listed above
Providing a CSIRT function (Computer Security Incident Response Team)
Providing external monitoring of clients’ digital risk using various open-source information as well as information gained from underground forums / closed sites (for example, what is commonly known as the “Dark Web”, or to put it another way, sites not accessible from standard internet browsers).
Now we know the teams, what about the tools? We discussed the SIEM above, but it is no longer the only option for delivering effective detection and response. In fact, many organizations now start with the basics. This includes EDR.
EDR software monitors various endpoints (computers, servers, tablets, mobile phones, etc.) rather than the network itself.
To do this, EDR software analyzes how the monitored endpoints are used, in particular through behavioral analysis. This allows it to recognize behaviors that deviate from a norm established during a learning phase, as well as behaviors that are consistent with common attacker tradecraft. EDR software is also capable of monitoring for the exploitation of security flaws.
The advantage of EDR solutions is that they allow companies to protect themselves against both known (e.g., a virus) and unknown attacks by analyzing suspicious behaviors.
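The two detection modes just described (deviation from a learned norm, and matching behavior already known to be associated with attackers) can be shown on a single stream of process-execution telemetry. The block below is an added example, not any EDR vendor's code: it learns which parent/child process pairs are normal for each host during a learning phase, then flags pairs that were never seen on that host, and separately flags pairs that match a small curated list of known-bad patterns. Host names, process names and events are constructed for the example, and the known-bad list is a deliberately tiny stand-in for the much larger rule sets real products ship.

```python
"""Baseline-then-detect over endpoint process telemetry (added example)."""
from collections import defaultdict

# Constructed telemetry: (host, parent_process, child_process).
LEARNING_PHASE = [
    ("ws-01", "explorer.exe", "winword.exe"),
    ("ws-01", "explorer.exe", "outlook.exe"),
    ("ws-01", "services.exe", "svchost.exe"),
    ("ws-02", "explorer.exe", "chrome.exe"),
    ("ws-02", "services.exe", "svchost.exe"),
] * 3  # repeated to mimic several days of normal activity

DETECTION_PHASE = [
    ("ws-01", "explorer.exe", "winword.exe"),     # seen during learning: normal
    ("ws-01", "winword.exe", "powershell.exe"),   # office application spawning a shell
    ("ws-02", "services.exe", "svchost.exe"),     # seen during learning: normal
    ("ws-02", "explorer.exe", "notepad.exe"),     # never seen on ws-02, but not obviously bad
]

# Assumed rule set of parent/child pairs consistent with common attacker tradecraft.
KNOWN_BAD_PAIRS = {
    ("winword.exe", "powershell.exe"),
    ("excel.exe", "cmd.exe"),
    ("outlook.exe", "powershell.exe"),
}


class ProcessBaseline:
    """Per-host memory of which parent/child process pairs are normal."""

    def __init__(self):
        self.seen = defaultdict(set)  # host -> {(parent, child), ...}

    def learn(self, events):
        """Learning phase: record every pair observed as part of the host's norm."""
        for host, parent, child in events:
            self.seen[host].add((parent, child))

    def detect(self, events):
        """Detection phase: known-bad pairs are high severity regardless of baseline;
        pairs merely absent from the host's baseline are low severity and need triage."""
        alerts = []
        for host, parent, child in events:
            pair = (parent, child)
            if pair in KNOWN_BAD_PAIRS:
                alerts.append({"host": host, "pair": pair, "severity": "high",
                               "reason": "matches known attacker behavior"})
            elif pair not in self.seen[host]:
                alerts.append({"host": host, "pair": pair, "severity": "low",
                               "reason": "never observed on this host during learning"})
        return alerts


def run_example():
    baseline = ProcessBaseline()
    baseline.learn(LEARNING_PHASE)
    return baseline.detect(DETECTION_PHASE)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Note the asymmetry in severity: a pair that is simply new on a host is only a hint (a user installing a new tool produces exactly the same signal), whereas a pair on the curated list warrants an immediate look. Real products also weigh command-line arguments, file writes and network activity before raising an alert; this example keeps to the parent/child relationship to show the two modes side by side.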
Complementing EDR in terms of delivering a basic detection and response functionality is NDR.
NDR software gives CyberSOC teams extended visibility across the network to detect the behavior of potentially hidden attackers targeting physical, virtual and cloud infrastructures. It complements EDR and SIEM tools, and more recently these technologies have begun to add selected log analysis using artificial intelligence and machine learning to complement the analysis of raw network traffic.
The NDR approach provides an overview and focuses on the interactions between the different nodes of the network. And where the network now extends beyond traditional data centers and into the cloud, into the world of Software-as-a-Service, this kind of visibility is crucial. EDR cannot be present everywhere.
XDR software seeks to bring together these approaches to help security teams solve threat visibility problems by centralizing, standardizing, and correlating security data from multiple sources. This approach increases detection capabilities compared to standalone endpoint detection and response tools (EDR). For example, XDR provides complete visibility by using network data to monitor vulnerable (unmanaged) endpoints that cannot be seen by EDR tools.
XDR analyzes data from multiple sources (email activity, endpoints, servers, networks, cloud streams, identity technologies such as AzureAD or single sign-on…) to validate alerts, reducing false positives and the overall volume of alerts. This stitching together of indicators from multiple sources allows XDR to improve the efficiency of security teams.
XDR does still, however, lack the depth of customization that can be achieved with SIEM tools.
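The cross-source stitching described above is easiest to see with concrete alerts. The block below is an added example, not any XDR vendor's code: it takes alerts from four hypothetical sources (email, endpoint, network, identity), links those that concern the same host or user within a time window into one incident, and scores each incident by how many independent sources corroborate it. It also includes the unmanaged-device case from the paragraph before: a printer with no agent that only the network sensor can see. Source names, alert titles, the 30-minute window and the scoring weights are all assumptions made for the example.

```python
"""Stitch indicators from several telemetry sources into incidents (added example)."""
from datetime import datetime, timedelta

# Constructed alerts from four hypothetical sources, each tagged with the entities it concerns.
ALERTS = [
    {"source": "email",    "time": "2024-03-14T09:58:00Z", "user": "alice", "host": None,
     "title": "attachment flagged by sandbox"},
    {"source": "endpoint", "time": "2024-03-14T10:01:30Z", "user": "alice", "host": "ws-01",
     "title": "office application spawned shell"},
    {"source": "network",  "time": "2024-03-14T10:03:10Z", "user": None,    "host": "ws-01",
     "title": "beacon-like outbound traffic"},
    {"source": "identity", "time": "2024-03-14T10:04:00Z", "user": "alice", "host": None,
     "title": "sign-in from new country"},
    # Unmanaged device: no agent, so only the network sensor sees it.
    {"source": "network",  "time": "2024-03-14T10:05:00Z", "user": None,    "host": "printer-7",
     "title": "SMB scan of internal subnet"},
    # Lone identity alert hours later with nothing to corroborate it.
    {"source": "identity", "time": "2024-03-14T13:30:00Z", "user": "bob",   "host": None,
     "title": "sign-in from new country"},
]

WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def linked(a: dict, b: dict, window: timedelta) -> bool:
    """Two alerts are linked if they share a host or a user and fall within the window."""
    same_entity = (a["host"] and a["host"] == b["host"]) or (a["user"] and a["user"] == b["user"])
    return bool(same_entity) and abs(parse(a["time"]) - parse(b["time"])) <= window


def correlate(alerts: list, window: timedelta = WINDOW) -> list:
    """Group linked alerts into incidents and score each by the number of distinct sources."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        # Attach to the first incident containing a linked alert, else open a new one.
        # (A fuller implementation would also merge incidents that become linked later.)
        for inc in incidents:
            if any(linked(alert, other, window) for other in inc["alerts"]):
                inc["alerts"].append(alert)
                break
        else:
            incidents.append({"alerts": [alert]})

    for inc in incidents:
        sources = {a["source"] for a in inc["alerts"]}
        inc["sources"] = sorted(sources)
        inc["hosts"] = sorted({a["host"] for a in inc["alerts"] if a["host"]})
        inc["users"] = sorted({a["user"] for a in inc["alerts"] if a["user"]})
        # Each independent source that corroborates the story adds confidence (assumed weights).
        inc["confidence"] = min(100, 25 * len(sources))
        inc["verdict"] = "escalate" if len(sources) >= 2 else "review"
    return incidents


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc["verdict"], inc["confidence"], inc["sources"], inc["hosts"], inc["users"])
```

Six alerts become three incidents: one fully corroborated chain around alice and ws-01 that an analyst should escalate, one network-only finding on the agentless printer, and one isolated identity alert for bob that stays at "review" rather than being raised on its own. The reduction in analyst workload comes from that grouping, not from dropping anything; each single-source incident still exists, it just carries an honest confidence.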
EDR: provides a great level of detail but no coverage of unmanaged endpoints or endpoints that cannot run an agent (e.g. printers, serverless cloud environments).
NDR: has a very broad view of the hybrid cloud network and follows the use of identity across the business but does not monitor in great detail what is happening within endpoints.
XDR: breaks down the boundaries of detection perimeters, brings automation to accelerate investigations, and seeks to make detecting sophisticated attacks easier.
SIEM: takes longer to set up and more effort to maintain than any of the above approaches but crucially provides a far superior level of customization when required, as well as readily accessible raw log data.
We have one final acronym for you.
The acronym MDR stands for managed detection and response. MDR brings together the SOC function and the various solutions above so that cyber threats are addressed end to end. MDR provides an outcome.
So if you find your mind wandering to the thought of “I need a Managed SIEM/SOC”, what you really should be considering is MDR!